By : Owen Wild
May 03, 2018 12:00 PM
When it comes to ATM security, much of the focus in recent months has been on the growing threat posed by network attacks and malware that can compromise a machine remotely. But could this be resulting in ATM operators spending less time on a more direct problem - that of physical attacks on ATMs?
With recent reports of 'jackpotting' attacks in the US that have involved criminals gaining direct access to machines, ensuring the physical safety of ATMs is more important than ever right now. But there is still work to be done in this area.
This was one of the topics up for discussion at a recent ATM Industry Association conference in Las Vegas, where several experts participated in a workshop to debate the issue.
One of the most common issues within the industry at the moment is that some financial institutions are focusing their attentions more on convenience than security when it comes to managing their ATM network. This is something that can be seen from initial deployments, where banks are determining the most suitable location for a machine, to maintenance and replenishment.
For example, one of the speakers at the workshop, managing editor for Bankers Hotline P. Kevin Smith, highlighted one bank where employees had stored an extra $40,000 within an ATM. This was in addition to its actual cassette capacity of $40,000 and was intended to make it easier to restock the machine. Of course, this meant that when the bank fell victim to a theft, it lost $80,000 instead of $40,000 - a high price to pay for a little extra convenience.
Therefore, banks need to address this imbalance and ensure they swing the pendulum back towards security. One useful strategy for financial institutions in the US would be to look to what their counterparts in Europe have been doing, as physical attacks are a much bigger part of the landscape there. "Attacks on ATMs have been huge over there, and it's coming here," Mr. Smith said.
Whether it is combatting an emerging threat such as ATM jackpotting or coping with familiar risks such as skimming, banks may have to rethink how they approach their physical ATM security if they are to successfully minimize their risk.
Randall Phillips, of the security firm Thompson Consulting Group, told the workshop that unlike many European banks, financial institutions in the US tend to weigh the risk of attack against their tolerance for financial losses, and take action only after this threshold is breached.
However, this is likely to be the wrong approach, as it is too reactive and can leave banks more exposed to threats. Mr. Philips said: "Depending on what you're seeing out there, if you're not experiencing it, that doesn't mean you can't prepare for it."
When it comes to skimming, for example, there are a couple of key steps that businesses can take to reduce their risk. Mr. Smith noted that offering incentives to employees for being vigilant can prove effective. He highlighted one case where his bank offered $1,000 rewards to employees who found a device on one of its ATMs. Three such devices were found, which Mr. Smith said was "$3,000 well spent" to protect the company and its customers from criminals.